package checker
import (
"time"
sdk "git.happydns.org/checker-sdk-go/checker"
)
var Version = "built-in"
// Definition describes the DNSSEC hygiene checker to the checker SDK: its
// identity, where it applies, the options an administrator and a user may
// tune, the rules it ships, and the bounds on how often it may run.
//
// The returned definition has already had BuildRulesInfo called on it, so
// callers can use it as-is.
func Definition() *sdk.CheckerDefinition {
	// The bootstrap resolver is an administrator-only option: it decides
	// where apex NS discovery and the parent DS lookup are sent, so it is
	// deliberately not exposed in UserOpts. The "host:port" string is not
	// validated in this file; validation, if any, lives where the option
	// is consumed.
	adminOpts := []sdk.CheckerOptionDocumentation{
		{
			Id:          "resolver",
			Type:        "string",
			Label:       "Bootstrap resolver (host:port)",
			Description: "Recursive resolver used to discover the apex name servers and to look up the parent DS. Defaults to /etc/resolv.conf.",
		},
	}

	// Per-user thresholds. Every Default refers to a package-level
	// default* value declared elsewhere in this package.
	userOpts := []sdk.CheckerOptionDocumentation{
		{
			Id:          "nsec3IterationsMax",
			Type:        "uint",
			Label:       "Maximum NSEC3 iterations",
			Description: "RFC 9276 §3.1 sets the recommended ceiling at 0. Increase only if your signer cannot publish 0 yet.",
			Default:     defaultNSEC3IterationsMax,
		},
		{
			Id:          "nsec3IterationsSeverity",
			Type:        "choice",
			Label:       "Severity when NSEC3 iterations exceed the ceiling",
			Choices:     []string{"warn", "crit"},
			Default:     defaultNSEC3IterationsSeverityWarn,
			Description: "Use 'crit' to enforce RFC 9276 strictly.",
		},
		// Two-level RRSIG freshness: a WARN threshold with a description
		// and a CRIT threshold without one (kept as in the original).
		{
			Id:          "signatureFreshness",
			Type:        "uint",
			Label:       "RRSIG freshness WARN threshold (days)",
			Description: "Warn when the closest RRSIG expires in fewer than this many days.",
			Default:     defaultSignatureFreshnessDays,
		},
		{
			Id:      "signatureFreshnessCrit",
			Type:    "uint",
			Label:   "RRSIG freshness CRIT threshold (days)",
			Default: defaultSignatureFreshnessCrit,
		},
		{
			Id:      "minRSAKeySize",
			Type:    "uint",
			Label:   "Minimum RSA modulus size (bits)",
			Default: defaultMinRSAKeySize,
		},
		{
			Id:      "requireSEP",
			Type:    "bool",
			Label:   "Require a KSK (DNSKEY with SEP bit)",
			Default: defaultRequireSEP,
		},
		{
			Id:      "dnskeyTTLMin",
			Type:    "uint",
			Label:   "Minimum DNSKEY TTL (seconds)",
			Default: defaultDNSKEYTTLMinSec,
		},
	}

	// The only per-domain input is the zone apex, auto-filled by the SDK.
	domainOpts := []sdk.CheckerOptionDocumentation{
		{
			Id:       "domain_name",
			Label:    "Zone apex",
			AutoFill: sdk.AutoFillDomainName,
		},
	}

	// Rules are listed by theme; the rule types themselves are declared
	// elsewhere in this package. Whether the SDK honours this order when
	// evaluating is not visible here.
	rules := []sdk.CheckRule{
		// Zone and DNSKEY retrieval.
		zoneSignedRule{},
		dnskeyConsistentRule{},
		dnskeyQueryOKRule{},

		// Key material: algorithm choice, RSA size, KSK presence, key count.
		algorithmAllowedRule{},
		algorithmModernRule{},
		rsaKeySizeRule{},
		kskPresentRule{},
		dnskeyCountRule{},

		// Signatures: presence on DNSKEY and SOA, validity window, freshness.
		rrsigPresentDNSKEYRule{},
		rrsigPresentSOARule{},
		rrsigValidityWindowRule{},
		rrsigFreshnessRule{},

		// Authenticated denial of existence (NSEC3 parameters).
		denialUsesNSEC3Rule{},
		nsec3IterationsRule{},
		nsec3SaltEmptyRule{},
		nsec3OptOutRule{},
		denialConsistentRule{},

		// TTL hygiene.
		dnskeyTTLMinRule{},
	}

	// Polling bounds: never more often than every 5 minutes, never less
	// often than daily, hourly by default.
	interval := &sdk.CheckIntervalSpec{
		Min:     5 * time.Minute,
		Max:     24 * time.Hour,
		Default: 1 * time.Hour,
	}

	def := &sdk.CheckerDefinition{
		ID:              "dnssec",
		Name:            "DNSSEC operational hygiene",
		Version:         Version,
		Availability:    sdk.CheckerAvailability{ApplyToDomain: true},
		ObservationKeys: []sdk.ObservationKey{ObservationKeyDNSSEC},
		Options: sdk.CheckerOptionsDocumentation{
			AdminOpts:  adminOpts,
			UserOpts:   userOpts,
			DomainOpts: domainOpts,
		},
		Rules:         rules,
		HasHTMLReport: true,
		Interval:      interval,
	}

	def.BuildRulesInfo()
	return def
}